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METHOD OF GENERATING ELECTRONIC KEYS FOR A 
PUBL IC-KEY CRYPTOGRAPHY METHOD AND A SECURE PORTABLE 
OBJECT USING SAID METHOD 

5 

The invention relates to a method of generating 
electronic keys for a public-key cryptography method. 
It also relates to a secure portable object using the 
method. 

10 

The invention relates more particularly to the 
generation of keys for an RSA-type cryptography system 
and to their storage on a secure object with a view to 
using them in an application requiring security. 

15 

The invention applies most particularly to secure 
objects which do not have a large memory resource, such 
as an electrically programmable memory, or powerful 
calculation resources, as is the case for chip cards. 
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One application of the invention is electronic 
commerce using a mobile telephone. In this context, the 
keys may be on the SIM card of the telephone. 

5 It is provided that some application programs use 

such keys to carry out a transfer of confidential data, 
in an electronic commerce context for example. 
Hereinbelow, it will be considered that these 
applications are provided by a service provider. 

10 

Moreover, it is known that, in order to guarantee 
the integrity of the key, a certificate provided by a 
certification authority is usually associated 
therewith. 

15 

Among these public-key cryptography methods, the 
text below deals with the RSA (Rivest Shamir and 
Adleman) cryptography protocol. This protocol uses a 
step of generating large prime numbers which takes up a 
20 lot of calculation time and memory space. 

It will be recalled that this RSA cryptography 
protocol allows information encryption and/or 
authentication between two entities and/or the 
25 electronic signing of messages. 

The RSA cryptography protocol is used most 
frequently because it has properties which allow it to 
be used both for encryption and for signature 
30 generation. 

To do this, the RSA cryptography system comprises 
a "public" algorithm which performs the encryption or 
signature verification function and a "private" 
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algorithm which performs the decryption or signature 
generation function . 

The security thereof is based on the difficulty 
5 in factoring a public integer N of large size which is 
the product of the two secret prime numbers p and q of 
large size, the pair (p,q) being used in the 
calculation of the secret key d which is used by the 
decryption function or by the signature calculation 
10 function. 

In order to better understand the problem which 
will be discussed below, a summary is given of the 
parameters used in an RSA cryptography scheme: 
15 1) the public exponent e: 

This is specific to an application and is 
provided by this application. It is thus common to all 
the users of this same application. 

2) the parameters p and q: 

20 These are generated from a calculation which 

takes up a lot of time. They usually have the same 
length (same size) . This length is conventionally 512 
bits. In order to increase security, this length may 
extend from 512 bits to 2048 bits, 2048 bits being 

25 envisaged for the future. 

3) N is the public modulus and is calculated 
from the following relation: 

N = p*q 

The key of the algorithm is said to be of 
30 length £ when the public modulus N is of length t. This 
length is set by the application (or service provider) . 

4) the parameters e and N form the public 

key. 
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5) the private key d is calculated from the 
following relation : 

d = l/e[mod(p-l) (q-1) ] ; (l/e=e~ 1 ) 
i.e. ed = 1 [(mod ppcm(p-l, q-1)]; ppcm is 
5 the smallest common multiple, 

the secret parameters are formed by the 
triplet (d, p, q) . 

6) the "normal" form of the private key is: 
(d, N) . 

10 6) the CRT (Chinese Remainder Theorem) form 

of the private key is: 

in this case the private key comprises 5 
parameters : 

P, q 

15 dp with dp = d mod(p-l) 

d q with d q = d mod (q-1) 
I q with I q = q" 1 modp. 

The principle of generating a key according to 
20 the RSA scheme therefore consists, as can be seen, in 
generating a private key d from a public exponent e (or 
public key) which is set by the application, the 
parameters p, q being generated such that p*q = N, the 
length f of N being fixed. 

25 

When a number of applications are provided, each 
service provider provides its public exponent e and the 
length of the public modulus N, so that the 
corresponding private key d can be generated. 

30 

Thus, carrying out an RSA key calculation 
requires knowledge of the public exponent e and of the 
length i of the key of the algorithm, that is to say the 
length of the modulus N. With the input data e and 0, 
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there remains to be generated the pair of prime numbers 
p and q such that the latter satisfy the following 
conditions : 

(i) p-1 and q-1 are prime numbers with e and 
5 (ii) N = p*q is an integer of length 0. 

These constraints take up a lot of calculation 

time. 

10 In this respect, it will be recalled that the 

generation and storage of keys for portable objects 
such as chip cards are today carried out in two ways as 
follows : 

15 According to a first way, the calculation of an 

RSA key is carried out on a server in order to benefit 
from considerable calculation power. For more security, 
a certificate is required which is downloaded with the 
key within the secure object during its personalization 

20 phase. 

This solution has two drawbacks: 

on the one hand, despite the relatively 
secure context of the personalization, theft or 
25 duplication of the key may occur on account of its 
transfer from the server to the secure object, and 

- on the other hand, each key is loaded into 
the object in an initial personalization phase, which 
requires that a maximum number of keys be provided in 
30 each object in order to be able to anticipate future 
requirements . 

In practice, there are stored in the portable 
object sets of keys and certificates corresponding to 
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each application that is likely to be used, without 
knowing whether these keys will actually be used at a 
later date. A large amount of memory space is 
needlessly taken up. For example, 0.3 Kbytes are 
5 required for an RSA key having a modulus of 1024 bits, 
whereas cards at present have at most 32 Kbytes of 
programmable memory. Moreover, a large number of 
certificates is purchased from the certification 
authority, and this is expensive. 

10 

Last but not least is the drawback that it is not 
possible to add new keys as and when new applications 
are envisaged. 

15 According to a second solution, the calculation 

may be carried out within the secure object. This 
overcomes the first drawback of the above solution but 
creates a large amount of processing within the secure 
object, which has a small calculation capacity. 

20 

When the generation of an RSA key is carried out 
by a portable object such as a chip card, if the 
imposed length of the RSA key is 2048 bits, the 
calculation then takes 30 seconds with a powerful 
25 algorithm. 

Although this calculation time is acceptable for 
some applications since the RSA keys are generated just 
once for a given application, it is not satisfactory 
30 for mobile telephony services (GSM for example) since 
this operation is renewed each time the SIM card is 
changed and a larger number of keys has to be provided 
in order to meet the requirements of different 
applications . 
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Due to a need for considerable calculation 
resources, the keys are always created during the 
personalization phase from the public exponents e 
5 provided by the various service providers. This 
calculation step cannot be carried out subsequently 
since it would paralyze operation of the object. 

In practice, this calculation is not carried out 
10 by the card. This is because this calculation is 
lengthy and it could slow down the personalization 
phase, and also its duration varies and could prove to 
be incompatible with the personalization methods of the 
chip cards . 

15 

Moreover, this solution still has the second 
drawback of the preceding solution, namely the need for 
memory space. 

20 The object of the present invention is to solve 

these problems. 

More precisely, the object of the invention is to 
solve the problem of the calculation complexity 
25 associated with managing the generation of keys and 
also the problem of the lack of flexibility due to the 
initial and definitive storage of a large number of 
keys and certificates during the personalization phase. 

30 To this end, one object of the present invention 

relates to a method of generating electronic keys d for 
a public-key cryptography method using an electronic 
device, mainly characterized in that it comprises two 
separate calculation steps: 
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Step A 

1) calculating pairs of prime numbers (p,q) or 
values representative of pairs of prime 
numbers, this calculation being independent 
5 of knowledge of the pair (e,l) in which e is 

the public exponent and 1 is the length of 
the key of the cryptography method, 1 also 
being the length of the modulus N of said 
method, 

10 2) storing the pairs or values thus 

obtained; 

Step B 

calculating the key d from the results of 
step A and knowledge of the pair (e,l). 

15 

According to a first variant, step A-l) consists 
in calculating pairs of prime numbers (P/q) without 
knowledge of the public exponent e or of the length 1 
of the key, using a parameter II which Is the product of 
20 small prime numbers- In this way, pair (p,q) obtained 
in step A has a maximum probability of being able to 
correspond to a future pair (e,l) and will make it 
possible to calculate a key d when step B is carried 
out . 

25 

According to another variant which depends on the 
preceding variant, the calculation A-l) also takes 
account of the fact that e has a high probability of 
forming part of the set {3, 17, 2 16+1 }, and for this 

30 use is made in the calculation of step A of a seed a 
which makes it possible to calculate not pairs (p,q) 
but a representative value referred to as the image of 
the pairs (p, q) . 
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The storage A-2) then consists in storing this 
image. This makes it possible to gain memory space 
since an image is smaller than a prime number p or q, 
for example 32 bytes compared to 128 bytes. 

5 

According to a third variant, a calculation of 
pairs (p,q) is carried out for different probable pairs 
(e,l). In practice, the parameter n will contain the 
usual values of e, for example 3, 17. 

10 

According to a fourth variant, step A-l) 
comprises an operation of compressing the calculated 
pairs (p,q) and step A-2) then consists in storing the 
compressed values thus obtained. 

15 

Step B comprises the verification of the 
following conditions for a given pair (e,fl) : 

(i) p-1 and q-1 are prime numbers with e and 

(ii) N=p*q is an integer of length 0. 

20 

According to one preferred embodiment, step A-l) 
comprises the generation of a prime number q, the 
selection of a lower limit B 0 for the length fi 0 of this 
prime number that is to be generated, such that C 0 ^ B 0 , 
25 for example B 0 = 256 bits, and it also comprises the 
following sub-steps : 

1) calculating parameters v and w from the 
following relations and storing them: 
v = V2 2 '°" 1 /n 
30 w = 2'° /n 

in which n is stored and corresponds to the 
product of the f smallest prime numbers, f being 
selected such that II < 2 B ° , 
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2) selecting a number j within the range of 
integers {v, w-1} and calculating C=j II; 

3) selecting and storing a prime number k of 
short length compared to the length of an RSA key 

5 within the range of integers {0, 11-1} , (k, 11) 

being co-prime; 

4) calculating q=k+0, 

5) verifying that q is a prime number, if q 
is not a prime number then: 

10 a) taking a new value for k using the 

following relation : 

k = a k (mod Tl) ; a belonging to the 
multiplicative group Z* n of integers modulo II; 

b) repeating the method from sub-step 4). 

15 

Advantageously, step B comprises, for a pair 
(p,q) obtained in step A and a given pair (e,l): 

- verifying the following conditions: 

(i) p-1 and q-1 are prime numbers with e and 
20 (ii) N=p*q is an integer of length 0, 

- if the pair (p,q) does not satisfy these 
conditions : 

- selecting another pair and repeating the 
verification until a pair is suitable, 

25 - calculating the key d from the pair (p,q) 

obtained at the end of this verification. 

The invention also relates to a secure portable 
object able to generate electronic keys d of an RSA- 
30 type cryptography algorithm, characterized in that it 
comprises at least: 

- communication means for receiving at least 
one pair (e, 1) , 
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- a memory for storing the results of a step 
A consisting in: 

calculating pairs of prime numbers (p,q) 
or values representative of pairs of prime 
5 numbers, this calculation being independent of 

knowledge of the pair (e,l) in which e is the 
public exponent and 1 is the length of the key 
of the cryptography method, 1 also being the 
length of the modulus N of said method, 
10 a program for implementing a step B 

consisting in: 

calculating a key d from the results of 
step A and knowledge of a pair (e,l). 

15 The secure portable object also comprises a 

program for implementing step A, steps A and B being 
separate in terms of time. 

The secure portable object may consist of a chip 

20 card. 

Other features and advantages of the invention 
will emerge clearly from reading the description which 
is given below by way of non-limiting example and with 
25 reference to the single figure which shows a diagram of 
a system for carrying out the method. 

The rest of the description is given within the 
context of application of the invention to a portable 
30 object of the chip card type, and for simplification 
this will be referred to as a chip card. 

According to the proposed method, the generation 
of keys is carried out in two separate steps. 
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The first step A comprises a calculation of pairs 
of prime numbers (p,q) or of values representative of 
pairs of prime numbers referred to as an image. 

5 

The pairs (p,q) obtained are stored. 

This calculation is complex and it is even more 
complex if a conventional prime number generation 
10 algorithm is used. 

It is proposed here that this calculation be 
carried out independently of knowledge of the pair 
(e,l) . 

15 

As will be detailed below, one preferred 
embodiment for carrying out this step makes it possible 
to simplify the calculations and to limit the memory 
space needed to store the pairs (p,q) obtained, by 
20 storing an image of these pairs. 

The second step B comprises the calculation 
proper of the key d from the results of step A and 
knowledge of the pair (e,l). 

25 

This calculation comprises, for a pair (p f q) 
obtained in step A and a given pair (e,l): 

- verification of the following conditions: 
(i) p-1 and q-1 are prime numbers with e and 
30 (ii) N=p*q, this number must be an integer of 

length <!, 

if a pair (p,q) does not satisfy these 
conditions, another pair is selected and the 
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verification is repeated until a pair is suitable among 
the pairs obtained in step A. 

- it is then possible to proceed with the 
calculation of the key d from the pair (p,q) obtained 
5 at the end of this verification. 

The first step, which corresponds to a relatively 
complex calculation compared to the second step, may be 
carried out by an element other than the chip card, for 
10 example by a server. In this case, the results of the 
calculation of this first step may be loaded onto a 
chip card during personalization. 

The calculation of step A may also be carried out 
15 by the card itself at any given instant which does not 
disturb the user of this card. For example, this 
calculation may be carried out during personalization 
of the card or subsequently. 

20 In practice, during use of the card, in order to 

obtain a service, if a private key is required then the 
public key is provided by the service provider 
(possibly remotely if it is not already stored in the 
card) in order to generate the private key. This 

25 generation step (calculation step B) is carried out 
rapidly by the card. 

It can be seen therefore that new applications 
which require the calculation of a private key d can be 
30 provided for a card. 

It can also be seen that there is no need to 
associate a certificate with the pairs (p,q) since they 
are not associated with a private key. 



Thus, the generation of a private key can be 
carried out on board, that is to say by the card 
itself, with a 10-fold gain in execution time compared 
5 to the key generation methods known to date* 

In the text which follows, a description will be 
given of one preferred embodiment for carrying out step 
A. This embodiment is particularly advantageous for use 
10 on board a chip card since it makes it possible to 
optimize both the memory space and the calculation 
time . 

Firstly, in order to ensure that N=p*q is an 
15 integer of 0 bits, p is selected within the range: 

|y 2 2(/-/ 0) -i 5 2'-'°_iJ 

And q is selected within the range: 

20 

LV2^,2 /0 -lJ 

For f 0 between 1 and fi. 

25 Thus, min(p)min(q) is between 2 C0 -1 and N, and 

max(p)max(q) is between N and 2 f as required. 

In this way, condition ii) mentioned above is 
reduced to searching for prime numbers within the 
30 range: 
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The proposed solution makes use of the parameter 
n. This parameter n is the product of small prime 
numbers among which there may be found in particular 3, 
17, 2 16+1 , which prime numbers are usually used as public 
5 exponents- Thus, the probability that a pair (p,q) will 
correspond to a given future pair (e,l), which is 
already very high, rises even further when TI comprises 
such values. 

10 The f smallest prime numbers are selected, f 

being selected such that lliPi < 2B 0 , B 0 is the lower 
limit selected for C 0 . For example, B 0 may be selected to 
be equal to 256 bits. 

15 n is equal to the product: 2.3 191 and is less 

than 2 256 . 

This value n may then be stored in the card for 
example as a constant in the program read-only memory. 

20 

The first phase of the method consists in 
generating and storing a prime number k of short length 
compared to the length of an RSA key within the range 
of integers {0, n-1}, (k, 11) being co-prime, that 

25 is to say not having a common factor. 

The second phase then consists in constructing, 
from this number k, the first candidate q which 
satisfies the condition of being co-prime with n. 

30 

If this first candidate does not satisfy this 
condition, then it is updated, that is to say another 
candidate is selected, until a value of q which does 
satisfy the condition is found. 
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A description will now be given of the various 
steps of the algorithm for generating a prime number 
that is used in the calculation of an RSA key according 
5 to the invention. 

The proposed algorithm works regardless of the 
length lo given for the prime number q that is to be 
generated . 

10 

The generation of the prime number p is 
identical; all that is required is to replace q with p 
in the steps which will be developed and to replace do 
with {-{o. 

15 

After having set the limit Bo, the unique prime 
numbers v and w which satisfy the following conditions 
are calculated: 

2 0 V2 2 ' 0 " 1 <vn<V2 2 ' 0 " 1 +n 

2 e ° -n<wn<2'° 

This means calculating v and w by the following 
relations: 

25 

v = V2 2 '°" 1 /n 

w = 2'°/n 

Then, having taken k belonging to the 
30 multiplicative group Z*n of integers modulo n, the 
first candidate q is constructed such that 

q=k+j n for any j belonging to the range [v, 

w-1]. 
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Since k matches Z*n, the probability of having a 
prime first candidate q is high. If this is not the 
case, k is updated by taking k equal to ak(mod II) , a 
belonging to the group Z*T1, and the method is repeated 
5 until a value of q which corresponds to a prime number 
is found. 

One way of testing the primality of a number is 
for example to use the Rabin-Miller test. 

10 

The various steps of the proposed algorithm are 
specifically as follows: 

1) calculating parameters v and w from the 
following relations and storing them: 

15 v = V2 2/o_1 /n 

w = 2'°/n 

in which n is stored and corresponds to the 
product of the f smallest prime numbers, f being 
selected such that n < 2 B ° , 
20 2) selecting a number j within the range of 

integers {v, w-1} and calculating H=j II; 

3) selecting and storing a prime number k of 
short length compared to the length of an RSA key 
within the range of integers {0, TI-1] , (k, 11) 

25 being co-prime; 

4) calculating q=k+t, 

5) verifying that q is a prime number, if q 
is not a prime number then: 

a) taking a new value for k using the 
30 following relation: 

k = a k (mod FT) ; a belonging to the 
multiplicative group Z*n of integers modulo Ft; 

b) repeating the method from step 4); 
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6) recording a, k' j in order to use them to 
find q and then making use of q during a subsequent 
calculation to generate an RSA key. 

Instead of storing the value of q, the method 
will advantageous proceed as described below. 

A simple manner for carrying out this algorithm 
may consist, for each length of RSA key envisaged, in 
storing the values of k and j so as to reconstruct q. 

Rather than selecting a random number j as 
indicated in step 2), another embodiment may consist in 
constructing j from a short random number. 

For example, a number having a length of 64 bits 
is taken, which is referred to as the seed and is 
denoted or. This seed is then taken as the input value 
of a pseudo-random number generator PRNG, which will 
make it possible to generate j . 

j is then defined as PRNGi (a) (mod ( w-v) +v) . 

This embodiment makes it possible to considerably 
reduce the requirements in terms of memory space since 
only the values of o and k have to be stored in the 
EEPROM memory. The value of II is in the read-only 
memory (in the calculation program) . 

It is possible to further reduce the requirements 
in terms of memory space by acknowledging that: if k (0 j 
is the first value of k belonging to the group Z*II, 
then the prime numbers generated have the form: 
q= a f_1 k (0) mod n +j n 
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f being the number of failures of the test in 

step 4) . 

This value k (0 ) which belongs to the group Z*FI may 
5 be easily calculated from a short random seed, such as 
a for example, and using the Carmichael function of Ft 2 
denoted X (II) . 

Using this function, it is possible to express 
10 k (0 ) by the following relation: 

k (0 , = [PRNG 2 (a)+b PRNG3(a> (PRNG 2 (a) Mn) -l) ] (modn) 
b being an element of order A, (II) belonging to 

z*n. 

15 , These two embodiments make it possible to reduce 

the requirements in terms of memory space since in this 
case all that will have to be stored is the value of 
the seed a and various values of f for the desired key 
lengths . 

20 

For RSA keys having a modulus of greater than 
2048 bits, the numerical experiments that have been 
carried out by the inventors show that f is equal to 2 8 . 
This means that f may be encoded on 1 byte, i.e. 8 
25 octets. 

By way of example, for generating RSA keys having 
a length ranging from 512 to 2048 bits with a granulity 
of 32 bits, there are 49 possible key lengths. It is 
30 thus necessary to store- on the card one byte, i.e. 8 
octets, corresponding to the value of a. It is also 
necessary to store the values of f for the prime 
numbers p and q, i.e. 2*49=98 octets. This makes a 
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total of 106 bytes, i.e. 848 bits, in the EEPROM 
memory. 

A final embodiment that makes it possible to 
5 reduce the memory space consists in storing in the 
calculation program, that is to say in the program 
memory, a number of values of n and the corresponding 
values of A,(n) for various envisaged key lengths. It 
may be noted that a large value of n leads to the 
10 smallest values for f. 

As has been seen above, the prime number q 
generated according to step 4) by the algorithm which 
has just been described satisfies the condition: 
15 q = a f_1 k {0) mod n +j*n 

If e divides II, q can be expressed by the 
following relation: 

q = a f_1 k (0 ) mod(e) 

20 

In order that condition (i) mentioned at the 
start of the description is satisfied, a must be 
selected such that a=l (mod e) and k must be forced to 
be different from 1 (mod e) . 

25 

The prime number q obtained thus satisfies the 
relation q = k (0 ) different from 1 (mod e) . 

The generation of the prime number p is identical 
30 except that q is replaced with p in the steps which 
have been developed and lo is replaced with l-lo. 



As has been mentioned, the program that 
implements the method of the card does not a priori 
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need to know the public exponent e. This exponent can 
therefore be provided at any moment by an application 
loaded into the card. 

5 However, it is known that, for most applications 

(more than 95%), the values of e that are used are the 
values {3, 17, 2 16 +1}. 

In order to cover the greatest number of 
10 applications, a will preferably be selected such that a 
= 1 mod ({3, 17, 2 16 +1}) and k (0) must be different from 
this value: 1 mod({3, 17, 2 16 +1}). 

For example, the prime number R = 2 64 -2 32 + l is 
15 selected as a possible candidate for a, with the 
proviso that the greatest common divisor of n and R is 
equal to 1. 

The required condition for k {0) may be obtained by 
20 the Chinese Remainder Theorem. 

As already mentioned, another alternative may 
consist, in respect of step A-l), in calculating pairs 
of prime numbers (p,q) for various probable pairs 
25 (e, 1) . 

In conclusion, the invention proposes a method 
consisting of two separate steps, in which the second 
step, which is very quick compared to the known 
30 solutions, can be carried out in real time. This method 
also takes up a relatively small amount of memory 
space . 
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Moreover, there is no limit in terms of new 
applications not provided at the time of 
personalization of the card. 



